
Post on 20-May-2020


Breaking State-of-the-Art Binary Code Obfuscation
A Program Synthesis-based Approach

REcon Brussels, February 2, 2018

Tim Blazytko, @mr_phrazer, http://synthesis.to

Moritz Contag, @dwuid, https://dwuid.com

Chair for Systems Security, Ruhr-Universität Bochum

<firstname.lastname>@rub.de

Setting the Scene

• Obfuscated code, semantics?
• Traditional deobfuscation techniques
• Orthogonal approach

Motivation

Complicate (rather than prevent) reverse engineering attempts.

• Intellectual Property
• Malicious Payloads
• Digital Rights Management

“We achieved our goals. We were uncracked for 13 whole days.”

– Martin Slater, 2K Australia, on BioShock (2007).

How to protect software?

Approaches

Abuse shortcomings of file parsers and other tools of the trade.

• fld tbyte ptr [__bad_values] crashing OllyDbg 1.10.
• Fake SizeOfImage crashing process dumpers.

Detect artifacts of the debugging process.

• PEB.BeingDebugged bit being set.
• int 2D and exception handling in debuggers.

Requirements

1. We want the technique to be semantics-preserving.
   Preserve the observable behavior of the application.

2. We want to avoid external dependencies, focus on code only.
   Assume white-box attack scenario.

3. We want techniques where effort(deploy) ≪ effort(attack).
   Anti-Debugging tricks are effort 1:1.

Code Obfuscation Techniques

Opaque Predicates

[Figure: control-flow graph of blocks A, B, C before and after inserting opaque predicates, with true (t) and false (f) edges and a cloned block C']

Opaque Predicates – Opaque True Predicate

    call GetCurrentProcess        ⟵ opaque value (always −1)
    cmp eax, 0xffffffff           ⟵ opaque predicate
    je __block_a                  always taken

__block_a: …
__block_b: …                      never taken: dead code 💀

Opaque Predicates – Opaque True Predicate

    mov eax, 0xffffffff
    cmp eax, 0xffffffff
    je __block_a                  always taken

__block_a: …
__block_b: …                      never taken: dead code 💀

Opaque Predicates – Opaque False Predicate

    mov eax, 0xffffffff
    cmp eax, 0xdeadbeef
    je __block_a                  never taken

__block_b: …                      always taken
__block_a: …                      never reached: dead code 💀

Opaque Predicates – Random Opaque Predicate

    call rand
    cmp eax, 0xdeadbeef
    je __block_a                  true or false

__block_a:  …
__block_a': …                     duplicated block, semantically equivalent to __block_a

Opaque Predicates

⊕ Increase in complexity (branch count, McCabe)
⊕ Can be built on hard problems (e. g., aliasing)
⊕ Forces analyst to encode additional knowledge
⊕ Hard to solve statically
⊖ Solved for free using concrete execution traces

Examples

– GetCurrentProcess() ⇒ −1
– fldpi ⇒ st(0) = π
– x² ≥ 0 ∀x
– x + 1 ≠ x ∀x
– pointer A must-alias pointer B
– checksum(code) = 0x1c43b5cf

Code Obfuscation Techniques

Virtual Machines

Virtual Machines

Native code; the loop at __secret_ip is the part to be virtualized:

    mov ecx, [esp+4]
    xor eax, eax
    mov ebx, 1
__secret_ip:
    mov edx, eax
    add edx, ebx
    mov eax, ebx
    mov ebx, edx
    loop __secret_ip
    mov eax, ebx
    ret

The same loop translated to a made-up instruction set:

__bytecode:
    vld r0
    vpop r1
    vld r2
    vld r1
    vadd r1
    vld r2
    vpop r0
    vld r1
    vpop r2
    vldi #1
    vld r3
    vsub r3
    vld #0
    veq r3
    vbr0 #-0E

After virtualization, the native loop is replaced by an entry into the VM; the bytecode itself is opaque to the reader:

    mov ecx, [esp+4]
    xor eax, eax
    mov ebx, 1
__secret_ip:
    push __bytecode
    call vm_entry
    mov eax, ebx
    ret

__bytecode:
    db 54 68 69 73 20 64 6f
    db 65 73 6e 27 74 20 6c
    db 6f 6f 6b 20 6c 69 6b
    db 65 20 61 6e 79 74 68
    db 69 6e 67 20 74 6f 20
    db 6d 65 2e de ad be ef

Virtual Machines – Core Components

VM Entry/Exit   Context Switch: native context ⇔ virtual context
VM Dispatcher   Fetch–Decode–Execute loop
Handler Table   Individual VM ISA instruction semantics

VM Entry/Exit
• Entry: Copy native context (registers, flags) to VM context.
• Exit: Copy VM context back to native context.
• Mapping from native to virtual registers is often 1:1.

VM Dispatcher
1. Fetch and decode instruction
2. Forward virtual instruction pointer
3. Look up handler for opcode in handler table
4. Invoke handler

Handler Table
• Table of function pointers indexed by opcode
• One handler per virtual instruction
• Each handler decodes operands and updates VM context

[Figure: FDE loop looking up handle_vpush, handle_vadd, handle_vxor, handle_vexit, handle_vpop, … in the handler table]

Virtual Machines

[Figure: VM Entry → VM Dispatcher (FDE) → look up in handler table → individual handlers (handle_vpush, handle_vadd, handle_vxor, handle_vexit, handle_vpop, …) → back to the dispatcher; VM Exit is implemented as a handler]

Virtual Machines

VM Dispatcher (rsi – virtual instruction pointer, rbp – VM context):

__vm_dispatcher:
    mov bl, [rsi]
    inc rsi
    movzx rax, bl
    jmp __handler_table[rax * 8]

Handler performing nor (with flag side-effects):

__handle_vnor:
    mov rcx, [rbp]
    mov rbx, [rbp + 4]
    not rcx
    not rbx
    and rcx, rbx
    mov [rbp + 4], rcx
    pushf
    pop [rbp]
    jmp __vm_dispatcher

Virtual Machine Hardening

Virtual Machines

Hardening Technique #1 – Obfuscating individual VM components.

• Handlers are conceptually simple.
• Apply traditional code obfuscation transformations:
  • Substitution (mov rax, rbx → push rbx; pop rax)
  • Opaque Predicates
  • Junk Code
  • …

Obfuscated handler (excerpt):

    mov eax, dword [rbp]
    mov ecx, dword [rbp+4]
    cmp r11w, r13w
    sub rbp, 4
    not eax
    clc
    cmc
    cmp rdx, 0x28b105fa
    not ecx
    cmp r12b, r9b

Virtual Machines

Hardening Technique #2 – Duplicating VM handlers.

• Handler table is typically indexed using one byte (= 256 entries).
• Idea: Duplicate existing handlers to populate full table.
• Use traditional obfuscation techniques to impede code similarity analyses.

Goal: Increase workload of reverse engineer.

[Figure: handler table before and after duplication: handle_vpush, handle_vadd, handle_vnor, handle_vpop joined by obfuscated copies handle_vadd', handle_vadd'', handle_vnor', handle_vnor'']

Virtual Machines

Hardening Technique #3 – No central VM dispatcher.

• A central VM dispatcher allows attacker to easily observe VM execution.
• Idea: Instead of branching to the central dispatcher, inline it into each handler.

Goal: No “single point of failure”.

(Themida, VMProtect Demo)

[Figure: one shared FDE dispatcher feeding handle_vnor, handle_…, versus a private copy of the FDE logic inlined into each handler]

Virtual Machines

Hardening Technique #4 – No explicit handler table.

• An explicit handler table easily reveals all VM handlers.
• Idea: Instead of querying an explicit handler table, encode the next handler address in the VM instruction itself.

Goal: Hide location of handlers that have not been executed yet.

(VMProtect Full, SolidShield)

Instruction layout before:  | opcode | op 0 | op 1 |
Instruction layout after:   | opcode | op 0 | op 1 | next handler addr |

Virtual Machines

Hardening Technique #5 – Blinding VM bytecode.

• Global analyses on the bytecode possible, easy to patch instructions.
• Idea:
  • Flow-sensitive instruction decoding (“decryption” based on key register).
  • Custom decryption routine per handler, diversification.
  • Patching requires re-encryption of subsequent bytecode.

Goal: Hinder global analyses of bytecode and patching.

Handler without blinding:

    operand ← [vIP + 0]
    context ← semantics(context, operand)
    next_handler ← [vIP + 4]
    vIP ← vIP + 8
    jmp next_handler

Handler with blinded bytecode (key register updated by every decoded value):

    operand ← [vIP + 0]
    operand ← unmangle(operand, key)
    key ← unmangle′(key, operand)
    context ← semantics(context, operand)
    next_handler ← [vIP + 4]
    next_handler ← unmangle′′(next_handler, key)
    key ← unmangle′′′(key, next_handler)
    vIP ← vIP + 8
    jmp next_handler
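The dispatcher, handler and hardening techniques #4 and #5 above, modelled as an added example (not the deck's code nor any commercial protector's): a Python VM whose instructions carry the next handler address instead of an opcode, with both fields blinded by a rolling key in exactly the order of the handler pseudocode. The toy stack ISA, the four unmangle functions, the handler addresses and KEY0 are assumptions of this example; it also shows the consequence the slide names, that patching one operand without re-encrypting the rest of the stream derails decoding.

```python
"""
Added example (not the deck's code): a Python model of a VM hardened with
techniques #4 and #5 above. There is no handler table: each 8-byte virtual
instruction carries [operand | next handler address], and both fields are
blinded with a rolling key that every decoded value updates. The toy stack ISA,
the four unmangle functions and all constants are this example's own choices.
"""
import struct

M32 = 0xFFFFFFFF
KEY0 = 0x1337C0DE                      # constructed initial key register value

def rol1(v):
    return ((v << 1) | (v >> 31)) & M32

def unmangle(operand, key):            # operand ← unmangle(operand, key)
    return (operand ^ key) & M32

def unmangle1(key, operand):           # key ← unmangle′(key, operand)
    return (key + operand) & M32

def unmangle2(handler, key):           # next_handler ← unmangle″(next_handler, key)
    return (handler - key) & M32

def unmangle3(key, handler):           # key ← unmangle‴(key, next_handler)
    return rol1(key) ^ handler

# Handlers keyed by their (constructed) addresses; nothing maps opcodes to them.
def h_push(ctx, operand):
    ctx["stack"].append(operand)

def h_add(ctx, operand):
    b, a = ctx["stack"].pop(), ctx["stack"].pop()
    ctx["stack"].append((a + b) & M32)

def h_nor(ctx, operand):
    b, a = ctx["stack"].pop(), ctx["stack"].pop()
    ctx["stack"].append(~(a | b) & M32)

def h_exit(ctx, operand):
    ctx["result"] = ctx["stack"].pop()

HANDLERS = {0x401000: h_push, 0x402000: h_add, 0x403000: h_nor, 0x404000: h_exit}

def assemble(program, key0=KEY0):
    """program: [(handler address, operand), ...] -> (entry handler, bytecode).
    Runs the key schedule forward so that run() can invert it step by step."""
    key, out = key0, bytearray()
    for i, (handler, operand) in enumerate(program):
        nxt = program[i + 1][0] if i + 1 < len(program) else 0
        out += struct.pack("<I", unmangle(operand, key))   # xor is its own inverse
        key = unmangle1(key, operand)
        out += struct.pack("<I", (nxt + key) & M32)        # inverse of unmangle2
        key = unmangle3(key, nxt)
    return program[0][0], bytes(out)

def run(entry, bytecode, key0=KEY0, max_steps=64):
    """Threaded dispatch: each handler decodes its operand, executes, then
    decodes the address of the next handler and jumps there."""
    ctx, vip, key, handler = {"stack": [], "result": None}, 0, key0, entry
    for _ in range(max_steps):
        operand, next_handler = struct.unpack_from("<II", bytecode, vip)
        operand = unmangle(operand, key)
        key = unmangle1(key, operand)
        HANDLERS[handler](ctx, operand)      # context ← semantics(context, operand)
        if ctx["result"] is not None:
            return ctx["result"]
        next_handler = unmangle2(next_handler, key)
        key = unmangle3(key, next_handler)
        vip += 8
        if next_handler not in HANDLERS:     # blinded stream fell out of sync
            raise ValueError("bad handler %#x at vIP %d" % (next_handler, vip))
        handler = next_handler
    raise RuntimeError("no vexit reached")

def patch_operand(bytecode, index, new_operand, key_at_index):
    """Naive patch: re-encode one operand for the key in force at that point
    and leave the rest of the stream untouched."""
    buf = bytearray(bytecode)
    struct.pack_into("<I", buf, index * 8, unmangle(new_operand, key_at_index))
    return bytes(buf)

def demo():
    # ~((5 + 7) | 3) in the stack ISA; then change the first push to 16.
    prog = [(0x401000, 5), (0x401000, 7), (0x402000, 0),
            (0x401000, 3), (0x403000, 0), (0x404000, 0)]
    entry, code = assemble(prog)
    original = run(entry, code)                          # 0xFFFFFFF0
    prog[0] = (0x401000, 16)
    reencrypted = run(*assemble(prog))                   # 0xFFFFFFE8
    try:                                                 # same edit, no re-encryption
        run(entry, patch_operand(code, 0, 16, KEY0))
        naive_patch_broke = False
    except ValueError:
        naive_patch_broke = True
    return original, reencrypted, naive_patch_broke
```

The naive patch decodes its own operand correctly but changes the key that every later field depends on, so the very next handler address decodes to garbage.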

Code Obfuscation Techniques

Mixed Boolean-Arithmetic

Mixed Boolean-Arithmetic

What does this expression compute?

    (x ⊕ y) + 2 · (x ∧ y)  =  x + y

What does this expression compute?

    (((x ⊕ y) + ((x ∧ y) ≪ 1)) ∨ z) + (((x ⊕ y) + ((x ∧ y) ≪ 1)) ∧ z)  =  x + y + z

• Boolean identities?   A · 0 = 0,   ¬(A + B) = ¬A · ¬B
• Arithmetic identities?   x² − y² = (x + y)(x − y)
• Karnaugh-Veitch maps?

Mixed Boolean-Arithmetic

Boolean-arithmetic algebra BA[n]

(Bⁿ, ∧, ∨, ⊕, ¬, ≤, ≥, >, <, ≤ₛ, ≥ₛ, >ₛ, <ₛ, ≠, =, ≫ₛ, ≫, ≪, +, −, ·) is a Boolean-arithmetic algebra BA[n], for n > 0, B = {0, 1}.

BA[n] includes, amongst others, both:

• Boolean algebra (Bⁿ, ∧, ∨, ¬),
• Integer modular ring Z/(2ⁿ).

No techniques to simplify such expressions easily!
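An added example (not the deck's code) for two observations above: opaque predicates are solved for free by concrete execution, and MBA expressions resist syntactic simplification but not input/output sampling. The helper names, the candidate expression list and the small bit widths are this example's own choices; the predicates and MBA expressions are the ones on the slides, and the signed reading of x² ≥ 0 is included to show that such a check depends on width and signedness.

```python
"""
Added example (not the deck's code): answer the two questions the slides pose
from concrete input/output behaviour alone, as a trace or execution oracle
would, rather than from the syntax of the expression:
  * classify_predicate: is a branch condition opaque (constant for every input)?
  * identify: which simple expression does an MBA expression compute?
Widths are tiny (4-8 bits) so exhaustive checks run instantly. The candidate
list is this example's choice; predicates and MBA terms are from the slides.
"""
import itertools
import random

def mask(n):
    return (1 << n) - 1

def to_signed(v, n):
    """Read an n-bit pattern as a two's-complement integer."""
    v &= mask(n)
    return v - (1 << n) if v >> (n - 1) else v

def classify_predicate(pred, n, arity=1):
    """Evaluate pred on every n-bit input tuple; stop once both outcomes occur."""
    seen = set()
    for args in itertools.product(range(1 << n), repeat=arity):
        seen.add(bool(pred(*args)))
        if len(seen) == 2:
            return "input dependent"
    return "opaque true" if True in seen else "opaque false"

# Simple semantics an analyst would try first; all arithmetic is in BA[n].
CANDIDATES = {
    "x + y":     lambda x, y, z, n: (x + y) & mask(n),
    "x - y":     lambda x, y, z, n: (x - y) & mask(n),
    "x ^ y":     lambda x, y, z, n: x ^ y,
    "x & y":     lambda x, y, z, n: x & y,
    "x | y":     lambda x, y, z, n: x | y,
    "x + y + z": lambda x, y, z, n: (x + y + z) & mask(n),
    "x ^ y ^ z": lambda x, y, z, n: x ^ y ^ z,
}

def identify(expr, n, samples=64, confirm_bits=4, seed=1):
    """Prune candidates with random n-bit samples, then confirm the survivors on
    every confirm_bits-wide triple. The exhaustive pass is a sanity check at a
    small width, not a proof for wider n (that is a job for an SMT solver)."""
    rng = random.Random(seed)
    survivors = set(CANDIDATES)
    for _ in range(samples):
        x, y, z = (rng.randrange(1 << n) for _ in range(3))
        out = expr(x, y, z, n)
        survivors = {c for c in survivors if CANDIDATES[c](x, y, z, n) == out}
    m = confirm_bits
    return sorted(c for c in survivors if all(
        CANDIDATES[c](x, y, z, m) == expr(x, y, z, m)
        for x, y, z in itertools.product(range(1 << m), repeat=3)))

# The two MBA expressions from the slides (z is unused by the first one).
def mba_two(x, y, z, n):
    return ((x ^ y) + 2 * (x & y)) & mask(n)

def mba_three(x, y, z, n):
    t = ((x ^ y) + ((x & y) << 1)) & mask(n)
    return ((t | z) + (t & z)) & mask(n)

# Opaque predicates from the slides, instantiated for an n-bit x.
def pred_x_plus_one(n):
    return lambda x: ((x + 1) & mask(n)) != x

def pred_square_unsigned(n):
    return lambda x: ((x * x) & mask(n)) >= 0     # x² ≥ 0 read as unsigned

def pred_square_signed(n):
    return lambda x: to_signed(x * x, n) >= 0    # signed: overflow breaks it

if __name__ == "__main__":
    print(identify(mba_two, 8), identify(mba_three, 8))
    for name, p in [("x + 1 != x", pred_x_plus_one(8)),
                    ("x*x >= 0 (unsigned)", pred_square_unsigned(8)),
                    ("x*x >= 0 (signed)", pred_square_signed(8))]:
        print(name, "->", classify_predicate(p, 8))
```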

Deobfuscation

Symbolic Execution

Handler performing nor (with flag side-effects):

__handle_vnor:
    mov rcx, [rbp]
    mov rbx, [rbp + 4]
    not rcx
    not rbx
    and rcx, rbx
    mov [rbp + 4], rcx
    pushf
    pop [rbp]
    jmp __vm_dispatcher

Executing the handler symbolically, instruction by instruction:

    mov rcx, [rbp]          rcx ← [rbp]
    mov rbx, [rbp + 4]      rbx ← [rbp + 4]
    not rcx                 rcx ← ¬rcx = ¬[rbp]
    not rbx                 rbx ← ¬rbx = ¬[rbp + 4]
    and rcx, rbx            rcx ← rcx ∧ rbx = (¬[rbp]) ∧ (¬[rbp + 4]) = [rbp] ↓ [rbp + 4]
    mov [rbp + 4], rcx      [rbp + 4] ← rcx = [rbp] ↓ [rbp + 4]
    pushf                   rsp ← rsp − 4; [rsp] ← flags
    pop [rbp]               [rbp] ← [rsp] = flags; rsp ← rsp + 4
    jmp __vm_dispatcher

Net effect on the VM context: [rbp + 4] ← ([rbp] ↓ [rbp + 4])
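The hand derivation above, automated as an added example (not the deck's tooling): a tiny symbolic executor over the __handle_vnor listing that tracks registers and memory as expression trees and applies one rewrite rule to recover the NOR. Its instruction coverage is limited to this handler and push/pop use the x86-64 width of 8; both are assumptions of the example.

```python
"""
Added example (not the deck's tooling): a minimal symbolic executor for the
__handle_vnor listing above. Registers and memory hold expression trees, and
the single rewrite rule (¬a) ∧ (¬b) ⇒ a ↓ b recovers the NOR the slides derive
by hand. Only the instruction forms this handler uses are modelled (x86-64, so
push/pop move rsp by 8); that restriction is an assumption of this example.
"""
import re

HANDLER = """
__handle_vnor:
    mov rcx, [rbp]
    mov rbx, [rbp + 4]
    not rcx
    not rbx
    and rcx, rbx
    mov [rbp + 4], rcx
    pushf
    pop [rbp]
    jmp __vm_dispatcher
"""

class State:
    """env maps ('reg', name) and ('mem', addr) to expression trees."""
    def __init__(self):
        self.env, self.written = {}, []
        self.flags, self.ip = ("sym", "flags"), None

    def load(self, key):                         # unknown cells become symbols
        return self.env.setdefault(key, ("sym", key[1]) if key[0] == "reg" else key)

    def store(self, key, value):
        self.env[key] = value
        if key[0] == "mem":
            self.written.append(key)

def add(e, k):
    """Fold base+const so the [rsp-8] written by pushf is found again by pop."""
    if e[0] == "+" and e[2][0] == "const":
        k, e = k + e[2][1], e[1]
    return e if k == 0 else ("+", e, ("const", k))

def operand(text, state):
    """'rcx' -> ('reg', 'rcx'); '[rbp + 4]' -> ('mem', <address expression>)."""
    m = re.fullmatch(r"\[(\w+)(?:\s*\+\s*(\d+))?\]", text.strip())
    if m:
        return "mem", add(state.load(("reg", m.group(1))), int(m.group(2) or 0))
    return "reg", text.strip()

def simplify(e):
    if e[0] == "and" and e[1][0] == "not" and e[2][0] == "not":
        return ("nor", e[1][1], e[2][1])        # (¬a) ∧ (¬b) = a ↓ b
    return e

def step(state, line):
    mnem, _, rest = line.partition(" ")
    ops = [] if mnem in ("jmp", "pushf") else [operand(o, state) for o in rest.split(",")]
    rsp = ("reg", "rsp")
    if mnem == "jmp":
        state.ip = rest.strip()
    elif mnem == "pushf":                        # rsp ← rsp − 8; [rsp] ← flags
        state.store(rsp, add(state.load(rsp), -8))
        state.store(("mem", state.load(rsp)), state.flags)
    elif mnem == "mov":
        state.store(ops[0], state.load(ops[1]))
    elif mnem == "not":
        state.store(ops[0], ("not", state.load(ops[0])))
    elif mnem == "and":
        result = simplify(("and", state.load(ops[0]), state.load(ops[1])))
        state.store(ops[0], result)
        state.flags = ("flags_of", result)       # the flag side effect of and
    elif mnem == "pop":                          # dst ← [rsp]; rsp ← rsp + 8
        state.store(ops[0], state.load(("mem", state.load(rsp))))
        state.store(rsp, add(state.load(rsp), 8))
    else:
        raise NotImplementedError(mnem)

def fmt(e):
    k = e[0]
    if k == "sym":
        return e[1]
    if k == "mem":
        return "[%s]" % fmt(e[1])
    if k == "+":
        return "%s%+d" % (fmt(e[1]), e[2][1])
    if k == "not":
        return "¬" + fmt(e[1])
    if k == "flags_of":
        return "flags(%s)" % fmt(e[1])
    return "(%s %s %s)" % (fmt(e[1]), {"and": "∧", "nor": "↓"}[k], fmt(e[2]))

def execute(listing):
    state = State()
    for line in listing.strip().splitlines():
        line = line.strip()
        if line and not line.endswith(":"):      # skip labels
            step(state, line)
    return state

def effects(state):
    """Memory cells the handler writes, as address -> value strings."""
    return {fmt(k): fmt(state.env[k]) for k in state.written}
```

Running `effects(execute(HANDLER))` lists the three memory writes, with `[rbp+4]` mapped to `([rbp] ↓ [rbp+4])` and `[rbp]` to the flags of that operation.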

Virtual Machine Handler

Obfuscated version of the nor handler (hardening technique #1 applied):

    mov eax, dword [rbp]
    mov ecx, dword [rbp + 4]
    cmp r11w, r13w
    sub rbp, 4
    not eax
    clc
    cmc
    cmp rdx, 0x28b105fa
    not ecx
    cmp r12b, r9b
    cmc
    and eax, ecx
    jmp 0xc239
    mov word [rbp + 8], eax
    pushfq
    movzx eax, r10w
    and ax, di
    pop qword [rbp]
    sub rsi, 4
    shld rax, rdx, 0x1b
    xor ah, 0x4d
    mov eax, dword [rsi]
    cmp ecx, r11d
    test r10, 0x179708d5
    xor eax, ebx
    jmp 0xfffffffffff63380
    dec eax
    stc
    ror eax, 1
    jmp 0xffffffffffff2a70
    dec eax
    clc
    bswap eax
    test bp, 0x5124
    neg eax
    test dil, 0xe9
    cmp bx, r14w
    cmc
    push rbx
    sub bx, 0x49f8
    xor dword [rsp], eax
    and bh, 0xaf
    pop rbx
    movsxd rax, eax
    test r13b, 0x94
    add rdi, rax
    jmp 0xfffffffffffc67c7
    lea rax, [rsp + 0x140]
    cmp rbp, rax
    ja 0x6557b
    jmp rdi

Virtual Machine Handler – symbolic execution output for the obfuscated handler above:

IRDst = ((- {((((@32[(RSI_init+0xFFFFFFFFFFFFFFFC)]^RBX_init[0:32])+0xFFFFFFFF) >>> 0x1)+0xFFFFFFFF)[24:32] 0 8, ((((@32[(RSI_init+0xFFFFFFFFFFFFFFFC)]^RBX_init[0:32])+0xFFFFFFFF) >>> 0x1)+0xFFFFFFFF)[16:24] 8 16, ((((@32[(RSI_init+0xFFFFFFFFFFFFFFFC)]^RBX_init[0:32])+0xFFFFFFFF) >>> 0x1)+0xFFFFFFFF)[8:16] 16 24, ((((@32[(RSI_init+0xFFFFFFFFFFFFFFFC)]^RBX_init[0:32])+0xFFFFFFFF) >>> 0x1)+0xFFFFFFFF)[0:8] 24 32})[31:32]?((RDI_init+{(- {((((@32[(RSI_init+0xFFFFFFFFFFFFFFFC)]^RBX_init[0:32])+0xFFFFFFFF) >>> 0x1)+0xFFFFFFFF)[24:32] 0 8, ((((@32[(RSI_init+0xFFFFFFFFFFFFFFFC)]^RBX_init[0:32])+0xFFFFFFFF) >>> 0x1)+0xFFFFFFFF)[16:24] 8 16, ((((@32[(RSI_init+0xFFFFFFFFFFFFFFFC)]^RBX_init[0:32])+0xFFFFFFFF) >>> 0x1)+0xFFFFFFFF)[8:16] 16 24, ((((@32[(RSI_init+0xFFFFFFFFFFFFFFFC)]^RBX_init[0:32])+0xFFFFFFFF) >>> 0x1)+0xFFFFFFFF)[0:8] 24 32}) 0 32, 0xFFFFFFFF 32 64}),(RDI_init+{(- {((((@32[(RSI_init+0xFFFFFFFFFFFFFFFC)]^RBX_init[0:32])+0xFFFFFFFF) >>> 0x1)+0xFFFFFFFF)[24:32] 0 8, ((((@32[(RSI_init+0xFFFFFFFFFFFFFFFC)]^RBX_init[0:32])+0xFFFFFFFF) >>> 0x1)+0xFFFFFFFF)[16:24] 8 16, ((((@32[(RSI_init+0xFFFFFFFFFFFFFFFC)]^RBX_init[0:32])+0xFFFFFFFF) >>> 0x1)+0xFFFFFFFF)[8:16] 16 24, ((((@32[(RSI_init+0xFFFFFFFFFFFFFFFC)]^RBX_init[0:32])+0xFFFFFFFF) >>> 0x1)+0xFFFFFFFF)[0:8] 24 32}) 0 32, 0x0 32 64}))) pf = parity(((RBP_init+(- RSP_init)+0xFFFFFFFFFFFFFEBC)&0xFF)) cf = ((((RBP_init+(- RSP_init)+0xFFFFFFFFFFFFFEBC)^(RBP_init+0xFFFFFFFFFFFFFFFC))&((RBP_init+0xFFFFFFFFFFFFFFFC)^(RSP_init+0x140)))^(RBP_init+(- RSP_init)+0xFFFFFFFFFFFFFEBC)^(RBP_init+0xFFFFFFFFFFFFFFFC)^(RSP_init+0x140))[63:64] af = ((RBP_init+(- RSP_init)+0xFFFFFFFFFFFFFEBC)^(RBP_init+0xFFFFFFFFFFFFFFFC)^(RSP_init+0x140))[4:5] @64[(RBP_init+0xFFFFFFFFFFFFFFFC)] = (((@32[RBP_init]^0xFFFFFFFF)&(@32[(RBP_init+0x4)]^0xFFFFFFFF))?({0x2 0 2, parity(((@32[RBP_init]^0xFFFFFFFF)&(@32[(RBP_init+0x4)]^0xFFFFFFFF)&0xFF)) 2 3, 0x0 3 4, (((- R9_init[0:8])+R12_init[0:8])^R12_init[0:8]^R9_init[0:8])[4:5] 4 5, 0x0 5 7, 
((@32[RBP_init]^0xFFFFFFFF)&(@32[(RBP_init+0x4)]^0xFFFFFFFF))[31:32] 7 8, tf_init 8 9, i_f_init 9 10, df_init 10 11, 0x0 11 12, iopl_f_init 12 14, nt_init 14 15, 0x0 15 16, rf_init 16 17, vm_init 17 18, ac_init 18 19, vif_init 19 20, vip_init 20 21, i_d_init 21 22, 0x0 22 64},{0x2 0 2, parity(((@32[RBP_init]^0xFFFFFFFF)&(@32[(RBP_init+0x4)]^0xFFFFFFFF)&0xFF)) 2 3, 0x0 3 4, (((- R9_init[0:8])+R12_init[0:8])^R12_init[0:8]^R9_init[0:8])[4:5] 4 5, 0x2 5 7, ((@32[RBP_init]^0xFFFFFFFF)&(@32[(RBP_init+0x4)]^0xFFFFFFFF))[31:32] 7 8, tf_init 8 9, i_f_init 9 10, df_init 10 11, 0x0 11 12, iopl_f_init 12 14, nt_init 14 15, 0x0 15 16, rf_init 16 17, vm_init 17 18, ac_init 18 19, vif_init 19 20, vip_init 20 21, i_d_init 21 22, 0x0 22 64})) RAX = (RSP_init+0x140) of = (((RBP_init+(- RSP_init)+0xFFFFFFFFFFFFFEBC)^(RBP_init+0xFFFFFFFFFFFFFFFC))&((RBP_init+0xFFFFFFFFFFFFFFFC)^(RSP_init+0x140)))[63:64] RCX = {(@32[(RBP_init+0x4)]^0xFFFFFFFF) 0 32, 0x0 32 64} @32[(RBP_init+0x4)] = ((@32[RBP_init]^0xFFFFFFFF)&(@32[(RBP_init+0x4)]^0xFFFFFFFF)) RBX = {((- {((((@32[(RSI_init+0xFFFFFFFFFFFFFFFC)]^RBX_init[0:32])+0xFFFFFFFF) >>> 0x1)+0xFFFFFFFF)[24:32] 0 8, ((((@32[(RSI_init+0xFFFFFFFFFFFFFFFC)]^RBX_init[0:32])+0xFFFFFFFF) >>> 0x1)+0xFFFFFFFF)[16:24] 8 16, ((((@32[(RSI_init+0xFFFFFFFFFFFFFFFC)]^RBX_init[0:32])+0xFFFFFFFF) >>> 0x1)+0xFFFFFFFF)[8:16] 16 24, ((((@32[(RSI_init+0xFFFFFFFFFFFFFFFC)]^RBX_init[0:32])+0xFFFFFFFF) >>> 0x1)+0xFFFFFFFF)[0:8] 24 32})^RBX_init[0:32]) 0 32, RBX_init[32:64] 32 64} RBP = (RBP_init+0xFFFFFFFFFFFFFFFC) zf = ((RBP_init+(- RSP_init)+0xFFFFFFFFFFFFFEBC)?(0x0,0x1)) RSI = (RSI_init+0xFFFFFFFFFFFFFFFC) RDI = ((- {((((@32[(RSI_init+0xFFFFFFFFFFFFFFFC)]^RBX_init[0:32])+0xFFFFFFFF) >>> 0x1)+0xFFFFFFFF)[24:32] 0 8, ((((@32[(RSI_init+0xFFFFFFFFFFFFFFFC)]^RBX_init[0:32])+0xFFFFFFFF) >>> 0x1)+0xFFFFFFFF)[16:24] 8 16, ((((@32[(RSI_init+0xFFFFFFFFFFFFFFFC)]^RBX_init[0:32])+0xFFFFFFFF) >>> 0x1)+0xFFFFFFFF)[8:16] 16 24, 
((((@32[(RSI_init+0xFFFFFFFFFFFFFFFC)]^RBX_init[0:32])+0xFFFFFFFF) >>> 0x1)+0xFFFFFFFF)[0:8] 24 32})[31:32]?((RDI_init+{(- {((((@32[(RSI_init+0xFFFFFFFFFFFFFFFC)]^RBX_init[0:32])+0xFFFFFFFF) >>> 0x1)+0xFFFFFFFF)[24:32] 0 8, ((((@32[(RSI_init+0xFFFFFFFFFFFFFFFC)]^RBX_init[0:32])+0xFFFFFFFF) >>> 0x1)+0xFFFFFFFF)[16:24] 8 16, ((((@32[(RSI_init+0xFFFFFFFFFFFFFFFC)]^RBX_init[0:32])+0xFFFFFFFF) >>> 0x1)+0xFFFFFFFF)[8:16] 16 24, ((((@32[(RSI_init+0xFFFFFFFFFFFFFFFC)]^RBX_init[0:32])+0xFFFFFFFF) >>> 0x1)+0xFFFFFFFF)[0:8] 24 32}) 0 32, 0xFFFFFFFF 32 64}),(RDI_init+{(- {((((@32[(RSI_init+0xFFFFFFFFFFFFFFFC)]^RBX_init[0:32])+0xFFFFFFFF) >>> 0x1)+0xFFFFFFFF)[24:32] 0 8, ((((@32[(RSI_init+0xFFFFFFFFFFFFFFFC)]^RBX_init[0:32])+0xFFFFFFFF) >>> 0x1)+0xFFFFFFFF)[16:24] 8 16, ((((@32[(RSI_init+0xFFFFFFFFFFFFFFFC)]^RBX_init[0:32])+0xFFFFFFFF) >>> 0x1)+0xFFFFFFFF)[8:16] 16 24, ((((@32[(RSI_init+0xFFFFFFFFFFFFFFFC)]^RBX_init[0:32])+0xFFFFFFFF) >>> 0x1)+0xFFFFFFFF)[0:8] 24 32}) 0 32, 0x0 32 64}))) nf = (RBP_init+(- RSP_init)+0xFFFFFFFFFFFFFEBC)[63:64] @32[(RSP_init+0xFFFFFFFFFFFFFFF8)] = ((- {((((@32[(RSI_init+0xFFFFFFFFFFFFFFFC)]^RBX_init[0:32])+0xFFFFFFFF) >>> 0x1)+0xFFFFFFFF)[24:32] 0 8, ((((@32[(RSI_init+0xFFFFFFFFFFFFFFFC)]^RBX_init[0:32])+0xFFFFFFFF) >>> 0x1)+0xFFFFFFFF)[16:24] 8 16, ((((@32[(RSI_init+0xFFFFFFFFFFFFFFFC)]^RBX_init[0:32])+0xFFFFFFFF) >>> 0x1)+0xFFFFFFFF)[8:16] 16 24, ((((@32[(RSI_init+0xFFFFFFFFFFFFFFFC)]^RBX_init[0:32])+0xFFFFFFFF) >>> 0x1)+0xFFFFFFFF)[0:8] 24 32})^RBX_init[0:32]) @32[(RSP_init+0xFFFFFFFFFFFFFFFC)] = RBX_init[32:64]


Simplified: M1 = (¬M1) ∧ (¬M2)

Mixed Boolean-Arithmetic Expression

int mixed_boolean(int A, int B, int C) {
    int result;

    result = (((1438524315 + ((((1438524315 + C) + 1438524315 * ((2956783114 - -1478456685 * C) | (-1478456685 * (1668620215 - A) - 2956783115))) + A) - 1553572265)) + 1438524315 * ((2956783114 - -1478456685 * ((((1438524315 + C) + 1438524315 * ((2956783114 - -1478456685 * C) | (-1478456685 * (1668620215 - A) - 2956783115))) + A) - 1553572265)) | (-1478456685 * (1668620215 - B) - 2956783115))) - ((1438524315 + (1668620215 - ((((1438524315 + C) + 1438524315 * ((2956783114 - -1478456685 * C) | (-1478456685 * (1668620215 - A) - 2956783115))) + A) - 1553572265))) + 1438524315 * ((2956783114 - -1478456685 * (1668620215 - ((((1438524315 + C) + 1438524315 * ((2956783114 - -1478456685 * C) | (-1478456685 * (1668620215 - A) - 2956783115))) + A) - 1553572265))) | (-1478456685 * B - 2956783115)))) + 1553572265;

    return -1478456685 * result - 2956783115;
}

Mixed Boolean-Arithmetic Expression

RAX = {((((- ((((- (((@32[(RBP_init+0xFFFFFFFFFFFFFFEC)][31:32]?(({@32[(RBP_init+0xFFFFFFFFFFFFFFEC)] 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({@32[(RBP_init+0xFFFFFFFFFFFFFFEC)] 0 32, 0x0 32 64}*0x55BE239B)))[0:32]+(@32[(RBP_init+0xFFFFFFFFFFFFFFFC)][31:32]?(({@32[(RBP_init+0xFFFFFFFFFFFFFFFC)] 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({@32[(RBP_init+0xFFFFFFFFFFFFFFFC)] 0 32, 0x0 32 64}*0x55BE239B)))[0:32]+((((- (((@32[(RBP_init+0xFFFFFFFFFFFFFFEC)][31:32]?(({@32[(RBP_init+0xFFFFFFFFFFFFFFEC)] 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({@32[(RBP_init+0xFFFFFFFFFFFFFFEC)] 0 32, 0x0 32 64}*0x55BE239B)))[0:32]+0x5C99A1A9)[31:32]?(({((@32[(RBP_init+0xFFFFFFFFFFFFFFEC)][31:32]?(({@32[(RBP_init+0xFFFFFFFFFFFFFFEC)] 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({@32[(RBP_init+0xFFFFFFFFFFFFFFEC)] 0 32, 0x0 32 64}*0x55BE239B)))[0:32]+0x5C99A1A9) 0 32, 0xFFFFFFFF 32 64}*0xFFFFFFFFA7E08A93),({((@32[(RBP_init+0xFFFFFFFFFFFFFFEC)][31:32]?(({@32[(RBP_init+0xFFFFFFFFFFFFFFEC)] 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({@32[(RBP_init+0xFFFFFFFFFFFFFFEC)] 0 32, 0x0 32 64}*0x55BE239B)))[0:32]+0x5C99A1A9) 0 32, 0x0 32 64}*0xFFFFFFFFA7E08A93)))[0:32])+0xB03CEE0A)|((((@32[(RBP_init+0xFFFFFFFFFFFFFFFC)][31:32]?(({@32[(RBP_init+0xFFFFFFFFFFFFFFFC)] 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({@32[(RBP_init+0xFFFFFFFFFFFFFFFC)] 0 32, 0x0 32 64}*0x55BE239B)))[0:32]+0x5C99A1A9)[31:32]?(({((@32[(RBP_init+0xFFFFFFFFFFFFFFFC)][31:32]?(({@32[(RBP_init+0xFFFFFFFFFFFFFFFC)] 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({@32[(RBP_init+0xFFFFFFFFFFFFFFFC)] 0 32, 0x0 32 64}*0x55BE239B)))[0:32]+0x5C99A1A9) 0 32, 0xFFFFFFFF 32 64}*0x581F756D),({((@32[(RBP_init+0xFFFFFFFFFFFFFFFC)][31:32]?(({@32[(RBP_init+0xFFFFFFFFFFFFFFFC)] 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({@32[(RBP_init+0xFFFFFFFFFFFFFFFC)] 0 32, 0x0 32 64}*0x55BE239B)))[0:32]+0x5C99A1A9) 0 32, 0x0 32 64}*0x581F756D)))[0:32]+0xB03CEE0A))[31:32]?(({(((- (((@32[(RBP_init+0xFFFFFFFFFFFFFFEC)][31:32]?(({@32[(RBP_init+0xFFFFFFFFFFFFFFEC)] 0 32, 0xFFFFFFFF 32 
64}*0x55BE239B),({@32[(RBP_init+0xFFFFFFFFFFFFFFEC)] 0 32, 0x0 32 64}*0x55BE239B)))[0:32]+0x5C99A1A9)[31:32]?(({((@32[(RBP_init+0xFFFFFFFFFFFFFFEC)][31:32]?(({@32[(RBP_init+0xFFFFFFFFFFFFFFEC)] 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({@32[(RBP_init+0xFFFFFFFFFFFFFFEC)] 0 32, 0x0 32 64}*0x55BE239B)))[0:32]+0x5C99A1A9) 0 32, 0xFFFFFFFF 32 64}*0xFFFFFFFFA7E08A93),({((@32[(RBP_init+0xFFFFFFFFFFFFFFEC)][31:32]?(({@32[(RBP_init+0xFFFFFFFFFFFFFFEC)] 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({@32[(RBP_init+0xFFFFFFFFFFFFFFEC)] 0 32, 0x0 32 64}*0x55BE239B)))[0:32]+0x5C99A1A9) 0 32, 0x0 32 64}*0xFFFFFFFFA7E08A93)))[0:32])+0xB03CEE0A)|((((@32[(RBP_init+0xFFFFFFFFFFFFFFFC)][31:32]?(({@32[(RBP_init+0xFFFFFFFFFFFFFFFC)] 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({@32[(RBP_init+0xFFFFFFFFFFFFFFFC)] 0 32, 0x0 32 64}*0x55BE239B)))[0:32]+0x5C99A1A9)[31:32]?(({((@32[(RBP_init+0xFFFFFFFFFFFFFFFC)][31:32]?(({@32[(RBP_init+0xFFFFFFFFFFFFFFFC)] 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({@32[(RBP_init+0xFFFFFFFFFFFFFFFC)] 0 32, 0x0 32 64}*0x55BE239B)))[0:32]+0x5C99A1A9) 0 32, 0xFFFFFFFF 32 64}*0x581F756D),({((@32[(RBP_init+0xFFFFFFFFFFFFFFFC)][31:32]?(({@32[(RBP_init+0xFFFFFFFFFFFFFFFC)] 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({@32[(RBP_init+0xFFFFFFFFFFFFFFFC)] 0 32, 0x0 32 64}*0x55BE239B)))[0:32]+0x5C99A1A9) 0 32, 0x0 32 64}*0x581F756D)))[0:32]+0xB03CEE0A)) 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({(((- (((@32[(RBP_init+0xFFFFFFFFFFFFFFEC)][31:32]?(({@32[(RBP_init+0xFFFFFFFFFFFFFFEC)] 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({@32[(RBP_init+0xFFFFFFFFFFFFFFEC)] 0 32, 0x0 32 64}*0x55BE239B)))[0:32]+0x5C99A1A9)[31:32]?(({((@32[(RBP_init+0xFFFFFFFFFFFFFFEC)][31:32]?(({@32[(RBP_init+0xFFFFFFFFFFFFFFEC)] 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({@32[(RBP_init+0xFFFFFFFFFFFFFFEC)] 0 32, 0x0 32 64}*0x55BE239B)))[0:32]+0x5C99A1A9) 0 32, 0xFFFFFFFF 32 64}*0xFFFFFFFFA7E08A93),({((@32[(RBP_init+0xFFFFFFFFFFFFFFEC)][31:32]?(({@32[(RBP_init+0xFFFFFFFFFFFFFFEC)] 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({@32[(RBP_init+0xFFFFFFFFFFFFFFEC)] 
0 32, 0x0 32 64}*0x55BE239B)))[0:32]+0x5C99A1A9) 0 32, 0x0 32 64}*0xFFFFFFFFA7E08A93)))[0:32])+0xB03CEE0A)|((((@32[(RBP_init+0xFFFFFFFFFFFFFFFC)][31:32]?(({@32[(RBP_init+0xFFFFFFFFFFFFFFFC)] 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({@32[(RBP_init+0xFFFFFFFFFFFFFFFC)] 0 32, 0x0 32 64}*0x55BE239B)))[0:32]+0x5C99A1A9)[31:32]?(({((@32[(RBP_init+0xFFFFFFFFFFFFFFFC)][31:32]?(({@32[(RBP_init+0xFFFFFFFFFFFFFFFC)] 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({@32[(RBP_init+0xFFFFFFFFFFFFFFFC)] 0 32, 0x0 32 64}*0x55BE239B)))[0:32]+0x5C99A1A9) 0 32, 0xFFFFFFFF 32 64}*0x581F756D),({((@32[(RBP_init+0xFFFFFFFFFFFFFFFC)][31:32]?(({@32[(RBP_init+0xFFFFFFFFFFFFFFFC)] 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({@32[(RBP_init+0xFFFFFFFFFFFFFFFC)] 0 32, 0x0 32 64}*0x55BE239B)))[0:32]+0x5C99A1A9) 0 32, 0x0 32 64}*0x581F756D)))[0:32]+0xB03CEE0A)) 0 32, 0x0 32 64}*0x55BE239B)))[0:32]+0xB9334352)[31:32]?(({((@32[(RBP_init+0xFFFFFFFFFFFFFFEC)][31:32]?(({@32[(RBP_init+0xFFFFFFFFFFFFFFEC)] 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({@32[(RBP_init+0xFFFFFFFFFFFFFFEC)] 0 32, 0x0 32 64}*0x55BE239B)))[0:32]+(@32[(RBP_init+0xFFFFFFFFFFFFFFFC)][31:32]?(({@32[(RBP_init+0xFFFFFFFFFFFFFFFC)] 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({@32[(RBP_init+0xFFFFFFFFFFFFFFFC)] 0 32, 0x0 32 64}*0x55BE239B)))[0:32]+((((- (((@32[(RBP_init+0xFFFFFFFFFFFFFFEC)][31:32]?(({@32[(RBP_init+0xFFFFFFFFFFFFFFEC)] 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({@32[(RBP_init+0xFFFFFFFFFFFFFFEC)] 0 32, 0x0 32 64}*0x55BE239B)))[0:32]+0x5C99A1A9)[31:32]?(({((@32[(RBP_init+0xFFFFFFFFFFFFFFEC)][31:32]?(({@32[(RBP_init+0xFFFFFFFFFFFFFFEC)] 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({@32[(RBP_init+0xFFFFFFFFFFFFFFEC)] 0 32, 0x0 32 64}*0x55BE239B)))[0:32]+0x5C99A1A9) 0 32, 0xFFFFFFFF 32 64}*0xFFFFFFFFA7E08A93),({((@32[(RBP_init+0xFFFFFFFFFFFFFFEC)][31:32]?(({@32[(RBP_init+0xFFFFFFFFFFFFFFEC)] 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({@32[(RBP_init+0xFFFFFFFFFFFFFFEC)] 0 32, 0x0 32 64}*0x55BE239B)))[0:32]+0x5C99A1A9) 0 32, 0x0 32 
64}*0xFFFFFFFFA7E08A93)))[0:32])+0xB03CEE0A)|((((@32[(RBP_init+0xFFFFFFFFFFFFFFFC)][31:32]?(({@32[(RBP_init+0xFFFFFFFFFFFFFFFC)] 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({@32[(RBP_init+0xFFFFFFFFFFFFFFFC)] 0 32, 0x0 32 64}*0x55BE239B)))[0:32]+0x5C99A1A9)[31:32]?(({((@32[(RBP_init+0xFFFFFFFFFFFFFFFC)][31:32]?(({@32[(RBP_init+0xFFFFFFFFFFFFFFFC)] 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({@32[(RBP_init+0xFFFFFFFFFFFFFFFC)] 0 32, 0x0 32 64}*0x55BE239B)))[0:32]+0x5C99A1A9) 0 32, 0xFFFFFFFF 32 64}*0x581F756D),({((@32[(RBP_init+0xFFFFFFFFFFFFFFFC)][31:32]?(({@32[(RBP_init+0xFFFFFFFFFFFFFFFC)] 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({@32[(RBP_init+0xFFFFFFFFFFFFFFFC)] 0 32, 0x0 32 64}*0x55BE239B)))[0:32]+0x5C99A1A9) 0 32, 0x0 32 64}*0x581F756D)))[0:32]+0xB03CEE0A))[31:32]?(({(((- (((@32[(RBP_init+0xFFFFFFFFFFFFFFEC)][31:32]?(({@32[(RBP_init+0xFFFFFFFFFFFFFFEC)] 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({@32[(RBP_init+0xFFFFFFFFFFFFFFEC)] 0 32, 0x0 32 64}*0x55BE239B)))[0:32]+0x5C99A1A9)[31:32]?(({((@32[(RBP_init+0xFFFFFFFFFFFFFFEC)][31:32]?(({@32[(RBP_init+0xFFFFFFFFFFFFFFEC)] 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({@32[(RBP_init+0xFFFFFFFFFFFFFFEC)] 0 32, 0x0 32 64}*0x55BE239B)))[0:32]+0x5C99A1A9) 0 32, 0xFFFFFFFF 32 64}*0xFFFFFFFFA7E08A93),({((@32[(RBP_init+0xFFFFFFFFFFFFFFEC)][31:32]?(({@32[(RBP_init+0xFFFFFFFFFFFFFFEC)] 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({@32[(RBP_init+0xFFFFFFFFFFFFFFEC)] 0 32, 0x0 32 64}*0x55BE239B)))[0:32]+0x5C99A1A9) 0 32, 0x0 32 64}*0xFFFFFFFFA7E08A93)))[0:32])+0xB03CEE0A)|((((@32[(RBP_init+0xFFFFFFFFFFFFFFFC)][31:32]?(({@32[(RBP_init+0xFFFFFFFFFFFFFFFC)] 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({@32[(RBP_init+0xFFFFFFFFFFFFFFFC)] 0 32, 0x0 32 64}*0x55BE239B)))[0:32]+0x5C99A1A9)[31:32]?(({((@32[(RBP_init+0xFFFFFFFFFFFFFFFC)][31:32]?(({@32[(RBP_init+0xFFFFFFFFFFFFFFFC)] 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({@32[(RBP_init+0xFFFFFFFFFFFFFFFC)] 0 32, 0x0 32 64}*0x55BE239B)))[0:32]+0x5C99A1A9) 0 32, 0xFFFFFFFF 32 
64}*0x581F756D),({((@32[(RBP_init+0xFFFFFFFFFFFFFFFC)][31:32]?(({@32[(RBP_init+0xFFFFFFFFFFFFFFFC)] 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({@32[(RBP_init+0xFFFFFFFFFFFFFFFC)] 0 32, 0x0 32 64}*0x55BE239B)))[0:32]+0x5C99A1A9) 0 32, 0x0 32 64}*0x581F756D)))[0:32]+0xB03CEE0A)) 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({(((- (((@32[(RBP_init+0xFFFFFFFFFFFFFFEC)][31:32]?(({@32[(RBP_init+0xFFFFFFFFFFFFFFEC)] 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({@32[(RBP_init+0xFFFFFFFFFFFFFFEC)] 0 32, 0x0 32 64}*0x55BE239B)))[0:32]+0x5C99A1A9)[31:32]?(({((@32[(RBP_init+0xFFFFFFFFFFFFFFEC)][31:32]?(({@32[(RBP_init+0xFFFFFFFFFFFFFFEC)] 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({@32[(RBP_init+0xFFFFFFFFFFFFFFEC)] 0 32, 0x0 32 64}*0x55BE239B)))[0:32]+0x5C99A1A9) 0 32, 0xFFFFFFFF 32 64}*0xFFFFFFFFA7E08A93),({((@32[(RBP_init+0xFFFFFFFFFFFFFFEC)][31:32]?(({@32[(RBP_init+0xFFFFFFFFFFFFFFEC)] 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({@32[(RBP_init+0xFFFFFFFFFFFFFFEC)] 0 32, 0x0 32 64}*0x55BE239B)))[0:32]+0x5C99A1A9) 0 32, 0x0 32 64}*0xFFFFFFFFA7E08A93)))[0:32])+0xB03CEE0A)|((((@32[(RBP_init+0xFFFFFFFFFFFFFFFC)][31:32]?(({@32[(RBP_init+0xFFFFFFFFFFFFFFFC)] 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({@32[(RBP_init+0xFFFFFFFFFFFFFFFC)] 0 32, 0x0 32 64}*0x55BE239B)))[0:32]+0x5C99A1A9)[31:32]?(({((@32[(RBP_init+0xFFFFFFFFFFFFFFFC)][31:32]?(({@32[(RBP_init+0xFFFFFFFFFFFFFFFC)] 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({@32[(RBP_init+0xFFFFFFFFFFFFFFFC)] 0 32, 0x0 32 64}*0x55BE239B)))[0:32]+0x5C99A1A9) 0 32, 0xFFFFFFFF 32 64}*0x581F756D),({((@32[(RBP_init+0xFFFFFFFFFFFFFFFC)][31:32]?(({@32[(RBP_init+0xFFFFFFFFFFFFFFFC)] 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({@32[(RBP_init+0xFFFFFFFFFFFFFFFC)] 0 32, 0x0 32 64}*0x55BE239B)))[0:32]+0x5C99A1A9) 0 32, 0x0 32 64}*0x581F756D)))[0:32]+0xB03CEE0A)) 0 32, 0x0 32 64}*0x55BE239B)))[0:32]+0xB9334352) 0 32, 0xFFFFFFFF 32 64}*0x581F756D),({((@32[(RBP_init+0xFFFFFFFFFFFFFFEC)][31:32]?(({@32[(RBP_init+0xFFFFFFFFFFFFFFEC)] 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({@32[(RBP_init+0xFFFFFFFFFFFFFFEC)] 0 
32, 0x0 32 64}*0x55BE239B)))[0:32]+(@32[(RBP_init+0xFFFFFFFFFFFFFFFC)][31:32]?(({@32[(RBP_init+0xFFFFFFFFFFFFFFFC)] 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({@32[(RBP_init+0xFFFFFFFFFFFFFFFC)] 0 32, 0x0 32 64}*0x55BE239B)))[0:32]+((((- (((@32[(RBP_init+0xFFFFFFFFFFFFFFEC)][31:32]?(({@32[(RBP_init+0xFFFFFFFFFFFFFFEC)] 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({@32[(RBP_init+0xFFFFFFFFFFFFFFEC)] 0 32, 0x0 32 64}*0x55BE239B)))[0:32]+0x5C99A1A9)[31:32]?(({((@32[(RBP_init+0xFFFFFFFFFFFFFFEC)][31:32]?(({@32[(RBP_init+0xFFFFFFFFFFFFFFEC)] 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({@32[(RBP_init+0xFFFFFFFFFFFFFFEC)] 0 32, 0x0 32 64}*0x55BE239B)))[0:32]+0x5C99A1A9) 0 32, 0xFFFFFFFF 32 64}*0xFFFFFFFFA7E08A93),({((@32[(RBP_init+0xFFFFFFFFFFFFFFEC)][31:32]?(({@32[(RBP_init+0xFFFFFFFFFFFFFFEC)] 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({@32[(RBP_init+0xFFFFFFFFFFFFFFEC)] 0 32, 0x0 32 64}*0x55BE239B)))[0:32]+0x5C99A1A9) 0 32, 0x0 32 64}*0xFFFFFFFFA7E08A93)))[0:32])+0xB03CEE0A)|((((@32[(RBP_init+0xFFFFFFFFFFFFFFFC)][31:32]?(({@32[(RBP_init+0xFFFFFFFFFFFFFFFC)] 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({@32[(RBP_init+0xFFFFFFFFFFFFFFFC)] 0 32, 0x0 32 64}*0x55BE239B)))[0:32]+0x5C99A1A9)[31:32]?(({((@32[(RBP_init+0xFFFFFFFFFFFFFFFC)][31:32]?(({@32[(RBP_init+0xFFFFFFFFFFFFFFFC)] 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({@32[(RBP_init+0xFFFFFFFFFFFFFFFC)] 0 32, 0x0 32 64}*0x55BE239B)))[0:32]+0x5C99A1A9) 0 32, 0xFFFFFFFF 32 64}*0x581F756D),({((@32[(RBP_init+0xFFFFFFFFFFFFFFFC)][31:32]?(({@32[(RBP_init+0xFFFFFFFFFFFFFFFC)] 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({@32[(RBP_init+0xFFFFFFFFFFFFFFFC)] 0 32, 0x0 32 64}*0x55BE239B)))[0:32]+0x5C99A1A9) 0 32, 0x0 32 64}*0x581F756D)))[0:32]+0xB03CEE0A))[31:32]?(({(((- (((@32[(RBP_init+0xFFFFFFFFFFFFFFEC)][31:32]?(({@32[(RBP_init+0xFFFFFFFFFFFFFFEC)] 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({@32[(RBP_init+0xFFFFFFFFFFFFFFEC)] 0 32, 0x0 32 64}*0x55BE239B)))[0:32]+0x5C99A1A9)[31:32]?(({((@32[(RBP_init+0xFFFFFFFFFFFFFFEC)][31:32]?(({@32[(RBP_init+0xFFFFFFFFFFFFFFEC)] 0 32, 0xFFFFFFFF 
32 64}*0x55BE239B),({@32[(RBP_init+0xFFFFFFFFFFFFFFEC)] 0 32, 0x0 32 64}*0x55BE239B)))[0:32]+0x5C99A1A9) 0 32, 0xFFFFFFFF 32 64}*0xFFFFFFFFA7E08A93),({((@32[(RBP_init+0xFFFFFFFFFFFFFFEC)][31:32]?(({@32[(RBP_init+0xFFFFFFFFFFFFFFEC)] 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({@32[(RBP_init+0xFFFFFFFFFFFFFFEC)] 0 32, 0x0 32 64}*0x55BE239B)))[0:32]+0x5C99A1A9) 0 32, 0x0 32 64}*0xFFFFFFFFA7E08A93)))[0:32])+0xB03CEE0A)|((((@32[(RBP_init+0xFFFFFFFFFFFFFFFC)][31:32]?(({@32[(RBP_init+0xFFFFFFFFFFFFFFFC)] 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({@32[(RBP_init+0xFFFFFFFFFFFFFFFC)] 0 32, 0x0 32 64}*0x55BE239B)))[0:32]+0x5C99A1A9)[31:32]?(({((@32[(RBP_init+0xFFFFFFFFFFFFFFFC)][31:32]?(({@32[(RBP_init+0xFFFFFFFFFFFFFFFC)] 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({@32[(RBP_init+0xFFFFFFFFFFFFFFFC)] 0 32, 0x0 32 64}*0x55BE239B)))[0:32]+0x5C99A1A9) 0 32, 0xFFFFFFFF 32 64}*0x581F756D),({((@32[(RBP_init+0xFFFFFFFFFFFFFFFC)][31:32]?(({@32[(RBP_init+0xFFFFFFFFFFFFFFFC)] 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({@32[(RBP_init+0xFFFFFFFFFFFFFFFC)] 0 32, 0x0 32 64}*0x55BE239B)))[0:32]+0x5C99A1A9) 0 32, 0x0 32 64}*0x581F756D)))[0:32]+0xB03CEE0A)) 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({(((- (((@32[(RBP_init+0xFFFFFFFFFFFFFFEC)][31:32]?(({@32[(RBP_init+0xFFFFFFFFFFFFFFEC)] 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({@32[(RBP_init+0xFFFFFFFFFFFFFFEC)] 0 32, 0x0 32 64}*0x55BE239B)))[0:32]+0x5C99A1A9)[31:32]?(({((@32[(RBP_init+0xFFFFFFFFFFFFFFEC)][31:32]?(({@32[(RBP_init+0xFFFFFFFFFFFFFFEC)] 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),

RAX = (M4 | M0) − M2

Symbolic Execution

⊕ Captures full semantics of executed code

⊕ Computer algebra system, some degree of simplification

⊖ Usability decreases with increasing syntactic complexity

• Artificial complexity (substitution, …)

• Algebraic complexity (MBA)

What if we could reason about semantics only instead of syntax?

34

Program Synthesis

Program Synthesis: A Semantic Approach

We use f as a black-box:

f(x, y, z) := (((x ⊕ y) + ((x ∧ y) · 2)) ∨ z) + (((x ⊕ y) + ((x ∧ y) · 2)) ∧ z)

(1, 1, 1) → 3
(2, 3, 1) → 6
(0, 7, 2) → 9

We learn a function that has the same I/O behavior:

h(x, y, z) := x + y + z

36

How to synthesize programs?

Stochastic Program Synthesis

• probabilistic optimization problem

• based on Monte Carlo Tree Search (MCTS)

(figure: score landscape with its global maxima marked)

38

Let’s synthesize: a + b mod 8

Program Generation

U → U + U | U ∗ U | a | b

• non-terminal symbol: U

• input variables: {a, b}

• candidate programs: a, b, a ∗ b, a + b, …

• intermediate programs: U + U, U ∗ U, U + b, …

40
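Added example, not code from the talk: a compact Monte Carlo tree search over the grammar above that learns a + b mod 8 from input/output samples alone, the search the following slides step through. A node's score is the mean I/O similarity of the random playouts made beneath it; similarity is taken as the fraction of output bits the candidate gets right, a simplification of this example (the slides do not spell out the measure). The exploration constant 1.4, the iteration budget, the playout depth cap and the exhaustive sampling of the 3-bit domain are likewise choices of this example.

```python
import math
import random

BITS = 3
MASK = (1 << BITS) - 1                                   # a + b mod 8: 3-bit outputs
INPUTS = [(a, b) for a in range(8) for b in range(8)]    # the whole 3-bit domain

# Grammar from the slide: U -> U + U | U * U | a | b
U = "U"
PRODUCTIONS = [("+", U, U), ("*", U, U), "a", "b"]


def evaluate(prog, a, b):
    """Evaluate a complete program: nested tuples ('+'|'*', l, r) over 'a', 'b'."""
    if prog == "a":
        return a
    if prog == "b":
        return b
    op, l, r = prog
    x, y = evaluate(l, a, b), evaluate(r, a, b)
    return (x + y) & MASK if op == "+" else (x * y) & MASK


def is_complete(prog):
    """True once no non-terminal U is left."""
    if isinstance(prog, str):
        return prog != U
    return all(is_complete(child) for child in prog[1:])


def expand_leftmost(prog, production):
    """Replace the leftmost U by a production; returns (new_prog, replaced)."""
    if prog == U:
        return production, True
    if isinstance(prog, str):
        return prog, False
    op, l, r = prog
    l, done = expand_leftmost(l, production)
    if not done:
        r, done = expand_leftmost(r, production)
    return (op, l, r), done


def random_playout(prog, rng, max_expansions=6):
    """Randomly complete an intermediate program; after a few expansions only
    terminals are drawn so the playout always terminates."""
    n = 0
    while not is_complete(prog):
        choices = PRODUCTIONS if n < max_expansions else PRODUCTIONS[2:]
        prog, _ = expand_leftmost(prog, rng.choice(choices))
        n += 1
    return prog


def oracle_io(f):
    """Sample the black box f on every input of the domain."""
    return [((a, b), f(a, b) & MASK) for a, b in INPUTS]


def similarity(prog, io):
    """I/O similarity in [0, 1]: fraction of output bits the candidate gets right."""
    right = 0
    for (a, b), expected in io:
        right += BITS - bin(evaluate(prog, a, b) ^ expected).count("1")
    return right / (BITS * len(io))


class Node:
    def __init__(self, prog, parent=None):
        self.prog, self.parent = prog, parent
        self.children, self.visits, self.reward = [], 0, 0.0
        self.untried = [] if is_complete(prog) else list(PRODUCTIONS)

    def uct_child(self, c=1.4):
        """Upper confidence bound: mean score plus an exploration bonus."""
        return max(self.children, key=lambda ch: ch.reward / ch.visits
                   + c * math.sqrt(math.log(self.visits) / ch.visits))


def synthesize(io, iterations=2000, seed=7):
    """MCTS loop: select by UCT, expand one production, score a random playout,
    back-propagate the score; stop at the first playout matching all I/O."""
    rng = random.Random(seed)
    root = Node(U)
    for _ in range(iterations):
        node = root
        while not node.untried and node.children:           # selection
            node = node.uct_child()
        if node.untried:                                     # expansion
            production = node.untried.pop(rng.randrange(len(node.untried)))
            child = Node(expand_leftmost(node.prog, production)[0], node)
            node.children.append(child)
            node = child
        program = random_playout(node.prog, rng)             # simulation
        score = similarity(program, io)
        if score == 1.0:
            return program
        while node is not None:                              # backpropagation
            node.visits += 1
            node.reward += score
            node = node.parent
    return None
```

Because the domain is 3-bit, the oracle is sampled exhaustively and a score of 1.0 is an equivalence. For 32- or 64-bit code the I/O set is a random sample, the similarity score is what steers the search towards partially correct intermediate programs, and a returned candidate should be confirmed with an SMT solver rather than trusted from the samples alone.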

Monte Carlo Tree Search

(The slide builds the search tree step by step; the frames are summarized here. Each node carries its score; an inner node's score is the mean of the playout scores beneath it.)

Root: U

1. Expand U → a. Score 0.64.
2. Expand U → b. Score 0.44.
3. Expand U → U*U. Random playout (a+a)*(b*a). Score 0.39.
4. Expand U → U+U. Random playout a+(b+b). Score 0.70.
5. Below U+U, expand U+(U+U). Random playout (a+a)+((a*b)+b). Score 0.44; U+U updated to 0.57.
6. Below U+U, expand U+b. Score 0.73; U+U updated to 0.62.
7. Below U+U, expand U+(U*U). Score 0.69; U+U updated to 0.64.

41

Monte Carlo Tree Search

a bU*U U+U

U+b U+(U*U)U+(U+U)

0.64 0.440.39 0.64

0.73 0.44 0.69

U

41

Monte Carlo Tree Search

a bU*U U+U

U+b U+(U*U)U+aU+(U+U)

0.64 0.440.39 0.64

0.73 0.44 0.69

U

41

Monte Carlo Tree Search

a bU*U U+U

U+b U+(U*U)U+aU+(U+U)

0.64 0.440.39 0.64

0.73 0.44 0.69

U

41

Monte Carlo Tree Search

a bU*U U+U

U+b U+(U*U)U+aU+(U+U)

0.64 0.440.39 0.64

0.73 0.44 0.690.87

U

41

Monte Carlo Tree Search

a bU*U U+U

U+b U+(U*U)U+aU+(U+U)

0.64 0.440.39 0.64

0.73 0.44 0.690.87

U

41

Monte Carlo Tree Search

a bU*U U+U

U+b U+(U*U)U+aU+(U+U)

0.64 0.440.39 0.69

0.73 0.44 0.690.87

U

41

Monte Carlo Tree Search

a bU*U U+U

U+b U+(U*U)U+aU+(U+U)

0.64 0.440.39 0.69

0.73 0.44 0.690.87

U

41

Monte Carlo Tree Search

a bU*U U+U

U+b U+(U*U)U+aU+(U+U)

0.64 0.440.39 0.69

0.73 0.44 0.690.87

U

41

Monte Carlo Tree Search

a bU*U U+U

U+b U+(U*U)U+aU+(U+U)

0.64 0.440.39 0.69

0.73 0.44 0.690.87

U

41

Monte Carlo Tree Search

a bU*U U+U

U+b U+(U*U)U+a

(U*U)+a

U+(U+U)

0.64 0.440.39 0.69

0.73 0.44 0.690.87

U

41

Monte Carlo Tree Search

a bU*U U+U

U+b U+(U*U)U+a

(U*U)+a

U+(U+U)

0.64 0.440.39 0.69

0.73 0.44 0.690.87

U

41

Monte Carlo Tree Search

a bU*U U+U

U+b U+(U*U)U+a

(U*U)+a

U+(U+U)

0.64 0.440.39 0.69

0.73 0.44 0.690.87

0.75

U

41

Monte Carlo Tree Search

a bU*U U+U

U+b U+(U*U)U+a

(U*U)+a

U+(U+U)

0.64 0.440.39 0.69

0.73 0.44 0.690.87

0.75

U

41

Monte Carlo Tree Search

a bU*U U+U

U+b U+(U*U)U+a

(U*U)+a

U+(U+U)

0.64 0.440.39 0.69

0.73 0.44 0.690.81

0.75

U

41

Monte Carlo Tree Search

a bU*U U+U

U+b U+(U*U)U+a

(U*U)+a

U+(U+U)

0.64 0.440.39 0.69

0.73 0.44 0.690.81

0.75

U

41

Monte Carlo Tree Search

a bU*U U+U

U+b U+(U*U)U+a

(U*U)+a

U+(U+U)

0.64 0.440.39 0.70

0.73 0.44 0.690.81

0.75

U

41

Monte Carlo Tree Search

a bU*U U+U

U+b U+(U*U)U+a

(U*U)+a

U+(U+U)

0.64 0.440.39 0.70

0.73 0.44 0.690.81

0.75

U

41

Monte Carlo Tree Search

a bU*U U+U

U+b U+(U*U)U+a

(U*U)+a

U+(U+U)

0.64 0.440.39 0.70

0.73 0.44 0.690.81

0.75

U

41

Monte Carlo Tree Search

a bU*U U+U

U+b U+(U*U)U+a

(U*U)+a

U+(U+U)

0.64 0.440.39 0.70

0.73 0.44 0.690.81

0.75

U

41

Monte Carlo Tree Search

a bU*U U+U

U+b U+(U*U)U+a

(U*U)+a

U+(U+U)

a+(U+U)

0.64 0.440.39 0.70

0.73 0.44 0.690.81

0.75

U

41

Monte Carlo Tree Search

a bU*U U+U

U+b U+(U*U)U+a

(U*U)+a

U+(U+U)

a+(U+U)

0.64 0.440.39 0.70

0.73 0.44 0.690.81

0.75

U

41

Monte Carlo Tree Search

a bU*U U+U

U+b U+(U*U)U+a

(U*U)+a

U+(U+U)

a+(U+U)0.68

0.64 0.440.39 0.70

0.73 0.44 0.690.81

0.75

U

41

Monte Carlo Tree Search

a bU*U U+U

U+b U+(U*U)U+a

(U*U)+a

U+(U+U)

a+(U+U)0.68

0.64 0.440.39 0.70

0.73 0.44 0.690.81

0.75

U

41

Monte Carlo Tree Search

a bU*U U+U

U+b U+(U*U)U+a

(U*U)+a

U+(U+U)

a+(U+U)0.68

0.64 0.440.39 0.70

0.73 0.56 0.690.81

0.75

U

41

Monte Carlo Tree Search

a bU*U U+U

U+b U+(U*U)U+a

(U*U)+a

U+(U+U)

a+(U+U)0.68

0.64 0.440.39 0.70

0.73 0.56 0.690.81

0.75

U

41

Monte Carlo Tree Search

a bU*U U+U

U+b U+(U*U)U+a

(U*U)+a

U+(U+U)

a+(U+U)0.68

0.64 0.440.39 0.69

0.73 0.56 0.690.81

0.75

U

41

Monte Carlo Tree Search

a bU*U U+U

U+b U+(U*U)U+a

(U*U)+a

U+(U+U)

a+(U+U)0.68

0.64 0.440.39 0.69

0.73 0.56 0.690.81

0.75

U

41

Monte Carlo Tree Search

a bU*U U+U

U+b U+(U*U)U+a

(U*U)+a

U+(U+U)

a+(U+U)0.68

0.64 0.440.39 0.69

0.73 0.56 0.690.81

0.75

U

41

Monte Carlo Tree Search

a bU*U U+U

U+b U+(U*U)U+a

(U*U)+a

U+(U+U)

a+(U+U)0.68

0.64 0.440.39 0.69

0.73 0.56 0.690.81

0.75

U

41

Monte Carlo Tree Search

a bU*U U+U

U+b U+(U*U)U+a

(U*U)+a b+a

U+(U+U)

a+(U+U)0.68

0.64 0.440.39 0.69

0.73 0.56 0.690.81

0.75

U

41

Monte Carlo Tree Search

a bU*U U+U

U+b U+(U*U)U+a

(U*U)+a b+a

U+(U+U)

a+(U+U)0.68

0.64 0.440.39 0.69

0.73 0.56 0.690.81

0.75 1.00

U

41

Score Calculation

(figure: a candidate program ? is run on the inputs of the I/O samples of a + b mod 8, and each of its outputs is compared with the observed output)

input (2,2): observed 4, candidate 6 → similarity(4, 6) = 0.78

input (5,3): observed 0, candidate 3 → similarity(0, 3) = 0.33

input (3,0): observed 3, candidate 3 → similarity(3, 3) = 1.0

average score: 0.70

42

Output Similarity: similarity(O, O′)

O  = 11110111100100001000110010000000
O′ = 11100010000110011110101100000000

Let’s compare:

• Are they in the same range?

• How many bits are different?

• How close are they numerically? (O - O′ = 00010101011101101010000110000000)

43
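The grammar, the MCTS loop and the score calculation from the slides above, as an added example that is not Syntia's code: the similarity function is an assumption that averages the three checks the slide asks for (same range, differing bits, numeric distance), and three of the six I/O samples are constructed.

```python
# Added example (not Syntia's code): toy MCTS synthesis over the slide's grammar
# U -> U + U | U * U | a | b, scoring candidates by output similarity on I/O samples.
import math
import random

BITS = 3                       # the target on the slides is a + b mod 8
MASK = (1 << BITS) - 1
PRODUCTIONS = (("+", "U", "U"), ("*", "U", "U"), "a", "b")

# I/O samples of a + b mod 8: the three pairs on the score slide plus three constructed ones
SAMPLES = [((2, 2), 4), ((5, 3), 0), ((3, 0), 3), ((1, 7), 0), ((6, 5), 3), ((7, 7), 6)]


def expand(tree, prod):
    """Replace the leftmost non-terminal U by prod; return (new_tree, replaced)."""
    if tree == "U":
        return prod, True
    if isinstance(tree, tuple):
        op, left, right = tree
        left, done = expand(left, prod)
        if not done:
            right, done = expand(right, prod)
        return (op, left, right), done
    return tree, False


def is_complete(tree):
    """Candidate programs contain no U; intermediate programs still do."""
    if isinstance(tree, tuple):
        return is_complete(tree[1]) and is_complete(tree[2])
    return tree != "U"


def evaluate(tree, a, b):
    """Run a complete program on concrete inputs, modulo 2**BITS."""
    if not isinstance(tree, tuple):
        return a if tree == "a" else b
    x, y = evaluate(tree[1], a, b), evaluate(tree[2], a, b)
    return (x + y if tree[0] == "+" else x * y) & MASK


def similarity(o, o_prime):
    """Score observed output o against candidate output o_prime in [0, 1].
    Assumption: the mean of the three checks the slide asks for; not Syntia's formula."""
    if o == o_prime:
        return 1.0
    same_range = 1.0 if o.bit_length() == o_prime.bit_length() else 0.0
    hamming = 1.0 - bin((o ^ o_prime) & MASK).count("1") / BITS
    numeric = 1.0 - abs(o - o_prime) / MASK
    return (same_range + hamming + numeric) / 3


def score(tree, samples):
    """Average similarity over all I/O samples, as on the score-calculation slide."""
    return sum(similarity(out, evaluate(tree, a, b)) for (a, b), out in samples) / len(samples)


def random_completion(tree, rng, max_expansions=6):
    """Playout: expand U's at random; after max_expansions only terminals are chosen."""
    steps = 0
    while not is_complete(tree):
        tree, _ = expand(tree, rng.choice(PRODUCTIONS if steps < max_expansions else PRODUCTIONS[2:]))
        steps += 1
    return tree


class Node:
    def __init__(self, tree, parent=None):
        self.tree, self.parent = tree, parent
        self.children, self.visits, self.total = [], 0, 0.0

    def uct(self, c=1.4):
        if self.visits == 0:           # unvisited children are tried first
            return float("inf")
        return self.total / self.visits + c * math.sqrt(math.log(self.parent.visits) / self.visits)


def synthesize(samples, iterations=2000, seed=0):
    """MCTS over intermediate programs; returns (best_program, best_score)."""
    rng = random.Random(seed)
    root, best, best_score = Node("U"), None, -1.0
    for _ in range(iterations):
        node = root
        while node.children:                                  # selection
            node = max(node.children, key=Node.uct)
        if node.visits and not is_complete(node.tree):        # expansion
            node.children = [Node(expand(node.tree, p)[0], node) for p in PRODUCTIONS]
            node = rng.choice(node.children)
        program = random_completion(node.tree, rng)           # simulation
        s = score(program, samples)
        if s > best_score:
            best, best_score = program, s
        while node is not None:                               # backpropagation
            node.visits += 1
            node.total += s
            node = node.parent
        if best_score == 1.0:                                 # every sample reproduced
            break
    return best, best_score
```

Programs are nested tuples such as ("+", "a", "b"); a score of 1.0 means the candidate reproduces every observed output, which is the 1.00 node on the tree slide.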

DEMO

How to synthesize obfuscated code?

Obtaining Code

• static disassembly

• memory dump, e.g. 54 68 69 73 20 64 6f 65 73 6e 27 74 20 6c 6f 6f 6b 20 6c 69 6b 65 20 61 6e 79 74 68 69 6e 67 20 74 6f 20 6d 65 2e de ad be ef

• instruction trace, e.g. (excerpt of the obfuscated VM trace shown on the slide):

  mov r15, 0x200
  xor r15, 0x800
  mov rbx, rbp
  add rbx, 0xc0
  mov rbx, qword ptr [rbx]
  mov r13, 1
  mov rcx, 0
  mov r15, rbp
  add r15, 0xc0
  or rcx, 0x88
  …

46

Learning Code Semantics

__handle_vnor:
  mov rcx, [rbp]
  mov rbx, [rbp + 4]
  not rcx
  not rbx
  and rcx, rbx
  mov [rbp + 4], rcx
  pushf
  pop [rbp]
  jmp __vm_dispatcher

Handler performing nor (with flag side-effects)

I/O samples per output, written as ?(m0, m1) → observed value, and the semantics learned from them:

• rbx: ?(0,5) → -1, ?(2,7) → -3, … ⇒ rbx ← ¬ m0

• rcx: ?(3,6) → -8, ?(1,1) → -2, … ⇒ rcx ← ¬ (m0 ∨ m1)

• M0: ?(0,0) → -1, ?(4,3) → -8, … ⇒ M0 ← ¬ (m0 ∨ m1)

47
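I/O sampling of the __handle_vnor handler above, as an added example that is not Syntia's code: the handler is modelled in Python with the operands named as on the slide (m0 = [rbp + 4], m1 = [rbp]), only ZF and SF of the pushed flags are modelled, and the candidate expressions checked against the samples are a constructed set.

```python
# Added example (not Syntia's code): random I/O sampling of the slide's __handle_vnor
# handler, modelled in Python, to learn what it writes to rbx, rcx and VM memory.
import random

MASK64 = (1 << 64) - 1


def signed64(x):
    """Interpret a 64-bit pattern as two's complement, as the slide prints outputs."""
    x &= MASK64
    return x - (1 << 64) if x >> 63 else x


def handle_vnor(m0, m1):
    """Model of __handle_vnor with m0 = [rbp + 4] and m1 = [rbp] (slide's naming).

    Returns the handler's outputs: rbx, rcx, M0 = [rbp + 4] and M1 = [rbp].
    Assumption: only ZF (bit 6) and SF (bit 7) of the pushed flags are modelled.
    """
    rcx = m1 & MASK64            # mov rcx, [rbp]
    rbx = m0 & MASK64            # mov rbx, [rbp + 4]
    rcx ^= MASK64                # not rcx
    rbx ^= MASK64                # not rbx
    rcx &= rbx                   # and rcx, rbx   (sets ZF/SF)
    flags = (int(rcx == 0) << 6) | ((rcx >> 63) << 7)
    return {"rbx": signed64(rbx), "rcx": signed64(rcx),
            "M0": signed64(rcx),   # mov [rbp + 4], rcx
            "M1": flags}           # pushf; pop [rbp]


def sample_io(handler, count, seed=0, width=4):
    """Random I/O sampling: feed random operands, record every observed output."""
    rng = random.Random(seed)
    samples = []
    for _ in range(count):
        m0, m1 = rng.getrandbits(width), rng.getrandbits(width)
        samples.append(((m0, m1), handler(m0, m1)))
    return samples


def holds(samples, output, hypothesis):
    """Does hypothesis(m0, m1) reproduce the observed value of output on every sample?"""
    return all(outs[output] == hypothesis(m0, m1) for (m0, m1), outs in samples)


def learn(samples, output, candidates):
    """Names of all candidate expressions consistent with the samples for one output."""
    return [name for name, fn in candidates.items() if holds(samples, output, fn)]


# Hypotheses for the handler's outputs, in the slide's notation (constructed set)
CANDIDATES = {
    "not m0": lambda m0, m1: ~m0,
    "not m1": lambda m0, m1: ~m1,
    "not (m0 or m1)": lambda m0, m1: ~(m0 | m1),
    "not (m0 and m1)": lambda m0, m1: ~(m0 & m1),
    "m0 + m1": lambda m0, m1: m0 + m1,
}
```

With a few hundred random samples only "not m0" survives for rbx and only "not (m0 or m1)" for rcx and M0, matching the three relations on the slide.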

I/O Sampling

• Miasm

• Unicorn

• angr

• Metasm

• WinDbg

• x64dbg

• <your tool here>

48

Instruction Trace: Forced Execution

  call check
  cmp eax, 0xdeadbeef
  je block_a

  true  → block_a: …
  false → block_b: …

• ignore the outcome of the check

• force execution into block_a, then into block_b

49

Syntia

• program synthesis framework for code deobfuscation

• written in Python

• random I/O sampling for assembly code

• MCTS-based program synthesis

https://github.com/RUB-SysSec/syntia

DEMO

Breaking Virtual Machine Obfuscation

Reminder: Virtual Machine Hardening

• Hardening Technique #1 – Obfuscating individual VM components.

• Hardening Technique #2 – Duplicating VM handlers.

• Hardening Technique #3 – No central VM dispatcher.

• Hardening Technique #4 – No explicit handler table.

• Hardening Technique #5 – Blinding VM bytecode.

53

#1: Obfuscating Individual VM Components

(figure: instruction trace of the obfuscated VM handler, several hundred instructions; excerpt:)

  mov r15, 0x200
  xor r15, 0x800
  mov rbx, rbp
  add rbx, 0xc0
  mov rbx, qword ptr [rbx]
  …
  add qword ptr [rdx], 0xd
  jmp rbx

Synthesized semantics of the handler: u64 res = M13 + M14

54

#2: Duplicating VM Handlers

(figure: handler table with the known handlers handle_vpush, handle_vadd, handle_vxor, handle_vexit, handle_vpop and nine further handlers, initially unknown: ? ? ? ? ? ? ? ? ?)

After synthesis: vm_sub16, ?, vm_add64, vm_xor32, ?, vm_shl16, vm_add64, ?, vm_add8

55

#5: Blinding VM Bytecode

(figure: the same obfuscated VM trace as on slide 54, with these instructions highlighted:)

  mov r9, rbp
  …
  add r9, 0
  …
  add eax, dword ptr [r9]
  …
  add eax, 0x3f505c07
  …
  mov r12, rbp
  …
  add r12, 0
  add dword ptr [r12], eax

No influence on underlying code’s semantics

56



#3: No Central VM Dispatcher

mov r15, 0x200
xor r15, 0x800
mov rbx, rbp
add rbx, 0xc0
mov rbx, qword ptr [rbx]
mov r13, 1
mov rcx, 0
mov r15, rbp
add r15, 0xc0
or rcx, 0x88
add rbx, 0xb
mov r15, qword ptr [r15]
or r12, 0xffffffff80000000
sub rcx, 0x78
movzx r10, word ptr [rbx]
xor r12, r13
add r12, 0xffff
add r15, 0
mov r8, rbp
sub rcx, 0x10
or r12, r12
or rcx, 0x800
movzx r11, word ptr [r15]
xor rcx, 0x800
mov r12, r15
add r8, 0
xor r12, 0xf0
mov rbx, 0x58
add r11, rbp
xor rbx, 0x800
and r12, 0x20
add rbx, 0x800
mov r11, qword ptr [r11]
add rbx, 1
and r12, r9
mov rdx, 1
xor r10d, dword ptr [r8]
sub r9, r11
pushfq
xor rbx, 0xf0
xor rbx, 0x800
and rdx, r8
mov r12, rbp
xor rdx, 0x20
sub rbx, 4
add r11, 0x2549b044
or rbx, 0x78
and rdx, r10
mov rax, 0
add r12, 0x42

mov r15, rdx
xor r10d, dword ptr [r12]
sub r15, 0x800
or rdx, 0x400
mov rsi, 0x200
mov r14, rbp
sub rsi, rsi
mov rdi, rbp
mov r8, 0x400
sub rsi, r9
sub r8, rsi
add r14, 0
add rsi, rax
and r8, 0x88
xor rsi, r14
mov rsi, rbp
add rdi, 0xc0
sub r8, rdi
add r8, 0x78
add rsi, 4
mov rcx, 0x200
mov rdi, qword ptr [rdi]
add dword ptr [rsi], 0x2549b044
xor rcx, 0xf0
add rcx, r10
add rdi, 6
mov r8, 0x400
mov ax, word ptr [rdi]
mov r8, 1
mov rsi, rbp
and rcx, 8
sub rcx, 1
mov rcx, rdi
add rsi, 0x29
or rcx, 8
mov r8, rsi
add rcx, 4
mov r13b, byte ptr [rsi]
cmp r13b, 0xd2
jbe 0x204
and r8, r13
or rcx, r13
or rcx, 4
mov rbx, rbp
or rcx, 4
sub rcx, 0x400
add rax, rbp
or rcx, 0x80
add rcx, 0x80
add rbx, 0x5a

add r8, 1
or r8, 0x78
add word ptr [rbx], r10w
mov r15, rax
sub r15, rax
pop r9
mov rcx, rbp
add rcx, 0xc0
mov rcx, qword ptr [rcx]
add rcx, 8
movzx r10, word ptr [rcx]
mov r9, rbp
add r9, 0
xor r10d, dword ptr [r9]
and rdi, 0xffffffff80000000
sub r13, 0xf0
mov rsi, 0
sub r13, 0x20
mov rbx, rbp
or r13, 0x88
and rcx, 8
mov r8, 0x58
add rbx, 0xc0
mov rbx, qword ptr [rbx]
sub rcx, 0x20
add rdi, 0x80
sub r13, 0x10
add rbx, 8
mov si, word ptr [rbx]
or r9, 0xffff
sub r9, 1
mov r9, rbp
mov r12, 0x58
add r9, 0
sub r13, 0x80
mov r15, r13
or rcx, r12
xor esi, dword ptr [r9]
mov r10, rbp
add r10, 0xcc
sub r15, 0x20
xor esi, dword ptr [r10]
xor r13, 0x90
add rdi, 0x10
mov r14, rsi
mov rdx, rbp
add rdx, 0
add dword ptr [rdx], esi
xor r12, 1
mov r13, r15

or r14, r14
mov rax, rbp
and rcx, r13
add rax, 4
sub r8, -0x80000000
add r13, 0xffff
and rcx, 0x20
mov r10, rbp
add r13, r15
add r14, r8
add r10, 0x89
xor word ptr [r10], si
xor rdx, r11
mov rsi, rbp
sub rdx, rbx
and rax, 0x40
or rbx, 0xf0
add rsi, 0x5a
mov r8, rcx
movzx rsi, word ptr [rsi]
mov rax, 0x200
mov r14, rbp
and rax, rdx
and rcx, 0x20
add r14, 0x89
or rax, 0x40
xor si, 0x7a28
add rdx, 0x78
add rdx, 0x20
movzx r14, word ptr [r14]
mov rcx, 0x58
add rsi, rbp
xor rax, rdx
add r8, 0x80
mov r15, rsi
add r14, rbp
add r8, r15
mov rbx, 0
and rdx, 0x10
mov r14, qword ptr [r14]
add qword ptr [rsi], r14
pushfq
xor r11, r14
add r15, r14
mov r13, 0x12
mov r8, 0
and r14, 0x88
and r13, 0x40
add r13, 1
mov rdx, rbp

mov r14, 0x200
add rdx, 0xc0
add r11, r14
or r15, 0x88
mov rdx, qword ptr [rdx]
add rdx, 0xa
add r11, 0x78
mov r8b, byte ptr [rdx]
cmp r8b, 0
je 0x49e
mov rdx, rbp
or r11, 0x40
and r15, 1
xor r11, 0x10
add rdx, 0xc0
or r14, 4
mov r15, 0x12
mov rdx, qword ptr [rdx]
sub r11, r8
add rdx, 4
or r11, 0x80
mov r8w, word ptr [rdx]
mov r14, r8
add r8, rbp
xor r13, 4
pop r10
mov qword ptr [r8], r10
jmp 0x4ae
xor rsi, 0x88
xor rbx, 0xffffffff80000000
add rsi, 0x78
mov r10b, 0x68
mov r9, 0x12
or rbx, r10
and r15, 0x78
mov r14, rbp
or r9, 8
add r14, 0x29
xor rbx, rdi
and r15, 0x3f
or byte ptr [r14], r10b
mov rax, 0x58
mov r8, rbp
sub rsi, 0x78
add r8, 0x127
mov rdi, rbx
xor rbx, 0x3f
mov r8, qword ptr [r8]
xor rsi, 1
mov rax, rbp

add r15, 0x3f
or r15, 0xffffffff80000000
and rsi, r9
add rax, 0xc0
add rdi, r14
or rsi, 1
mov rax, qword ptr [rax]
and rdi, 0x7fffffff
add rax, 2
sub rsi, 4
or rbx, rsi
movzx rax, word ptr [rax]
mov r9, rbp
mov r13, 0x200
mov r10, 0x58
add r9, 0
or r10, 0x20
add eax, dword ptr [r9]
xor r10, 0x40
add eax, 0x3f505c07
add r15, 0x88
mov r12, rbp
or rdi, 0x90
add r12, 0
or rbx, 0x80
add rdi, 0xf0
mov r13, 0x400
add dword ptr [r12], eax
and rsi, r8
or r10, 8
and rbx, 0x20
and rax, 0xffff
mov r11, 0
add r13, r8
or rbx, 1
shl rax, 3
add r8, rax
or rbx, r15
sub r15, 0x10
or r11, r13
mov rbx, qword ptr [r8]
mov rdx, rbp
sub r13, 0x80
add rdx, 0xc0
add qword ptr [rdx], 0xd
jmp rbx

The tail of the handler, ending in the indirect transfer to the next handler:

or rbx, 1
shl rax, 3
add r8, rax
or rbx, r15
sub r15, 0x10
or r11, r13
mov rbx, qword ptr [r8]
mov rdx, rbp
sub r13, 0x80
add rdx, 0xc0
add qword ptr [rdx], 0xd
jmp rbx

Split at indirect control-flow transfers

57



#4: No Explicit Handler Table

[figure: handler fragments labelled vm_add64, vm_mul32 and vm_nor32, reached without an explicit handler table]

58

Conclusion


Take Aways

1. syntactic complexity insignificant

2. semantic complexity low within specified boundaries

3. learn underlying code’s semantics despite obfuscation

Program Synthesis as an orthogonal approach to traditional techniques

60

Limitations

Implementation Shortcomings

choosing meaningful code window boundaries: (x ⊕ y) + 2 · (x ∧ y) vs. (x ⊕ y) + 2

constants: x + 15324326921

control-flow operations: x ? y : z

62


Limitations

AES: semantic complexity

non-determinism: the same black-box query ?(1,1) yields 4 on one run and 2 on another

point functions: f(x) = 1 if x = constant, 0 otherwise

63
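The Limitations slides above (code window boundaries, point functions, non-determinism), worked through as an added example that is not Syntia's code: a minimal I/O-sampling synthesizer over a toy grammar. The grammar, the breadth-first enumeration (Syntia searches with MCTS) and the constant 0x1337 are assumptions made for this example.

```python
import random
from itertools import product

MASK = (1 << 64) - 1  # 64-bit wraparound, like the x86-64 handlers on the slides

# Toy grammar (assumption for this example; Syntia's grammar and MCTS search are larger).
LEAVES = {"x": lambda x, y: x, "y": lambda x, y: y,
          "0": lambda x, y: 0, "1": lambda x, y: 1, "2": lambda x, y: 2}
OPS = {"+": lambda a, b: (a + b) & MASK, "-": lambda a, b: (a - b) & MASK,
       "*": lambda a, b: (a * b) & MASK, "^": lambda a, b: a ^ b,
       "&": lambda a, b: a & b, "|": lambda a, b: a | b}

def candidates(max_depth):
    """Yield (expression, callable) pairs, smallest expressions first."""
    level = list(LEAVES.items())
    yield from level
    for _ in range(max_depth):
        new = []
        for (na, fa), (nb, fb) in product(level, repeat=2):
            for op, g in OPS.items():
                fn = (lambda fa, fb, g: lambda x, y: g(fa(x, y), fb(x, y)))(fa, fb, g)
                new.append((f"({na} {op} {nb})", fn))
                yield new[-1]
        level += new

def sample_inputs(n=32, seed=1):
    """Random 64-bit input pairs, as drawn for a black-box I/O oracle."""
    rng = random.Random(seed)
    return [(rng.getrandbits(64), rng.getrandbits(64)) for _ in range(n)]

def is_deterministic(oracle, samples):
    """Query each input twice: an oracle answering ?(1,1) with 4, then 2, is no function to learn."""
    return all(oracle(x, y) == oracle(x, y) for x, y in samples)

def synthesize(oracle, samples, max_depth=2):
    """First candidate agreeing with the oracle on every sample, as (expression, fn), or None."""
    io = [((x, y), oracle(x, y)) for x, y in samples]
    for name, fn in candidates(max_depth):
        if all(fn(x, y) == out for (x, y), out in io):
            return name, fn
    return None

# Code window boundaries: the full window computes x + y, the cut window another function.
full_window = lambda x, y: ((x ^ y) + 2 * (x & y)) & MASK
cut_window = lambda x, y: ((x ^ y) + 2) & MASK
# Point function: 1 for a single constant (0x1337 is a constructed value), 0 elsewhere.
point_function = lambda x, y: 1 if x == 0x1337 else 0
# Non-deterministic oracle (constructed): the answer changes on every call.
_calls = [0]
def flaky_oracle(x, y):
    _calls[0] += 1
    return (x + y + _calls[0]) & MASK

if __name__ == "__main__":
    s = sample_inputs()
    print("full window :", synthesize(full_window, s)[0])     # (x + y)
    print("cut window  :", synthesize(cut_window, s)[0])      # some form of (x ^ y) + 2
    print("point fn    :", synthesize(point_function, s)[0])  # 0: no sample hits 0x1337
    print("flaky oracle:", is_deterministic(flaky_oracle, s))  # False
```

The point-function case shows the failure mode from the slide: random sampling never reaches the one input that matters, so the synthesizer is fully consistent with its samples and still wrong.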

Do try it at home!

Summary

• obfuscation techniques (opaque predicates, VM, MBA)
• symbolic execution for syntactic deobfuscation
• program synthesis for semantic deobfuscation

https://github.com/RUB-SysSec/syntia

65